Solved

Terminal Services Client Configuration

Posted on 2004-04-30
Last Modified: 2010-04-19
I have two locations, main and an offsite. The offsite has speed issues over the T1s, so we installed and set up a Windows 2003 Terminal Server for use by those at the offsite. What we want to do is, while they are at the offsite, make the computers there into pseudo dummy terminals that will only allow them to log on to the Terminal Server, but if they came over to the main site it would act as a normal workstation on the network.

It basically comes down to how to force those workstations at the offsite to not give the option to log on to the normal desktop but only log on to the Terminal Server and give no access to the local machine.

Can this be done and how if possible?
Question by:MJDevos
5 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 10959757
MJDevos
If you had 2 AD sites, then you could set up a GPO on the secondary site that locked down the desktops to this degree. However, when they came to the other site, they would probably need a second reboot to refresh the GPO that allowed them access to the computer desktop.

Basically we are looking at a GPO that would take away all user access, except to the TS client and only then to your TS Server.

Yup, it can be done, using Site Based GPOs, configurable from the AD Sites and Services snap-in.


Cheers

JamesDS
0
 

Author Comment

by:MJDevos
ID: 10959810
Current configuration is that there is 1 Domain. I have worked with GPO but I have not seen any policies that would lock down the workstations to this degree. If it is configured from GPO then could you not make an AD group with just those computers and apply the policy just to those computers?

Could you please show me where to look in GPO to set this up?

Thanks.
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 250 total points
ID: 10960264
MJDevos
You can't apply a GPO to a group and have it apply to those members of the group.

You CAN create a GPO for ALL machines or ALL users and filter it with group membership to only the machines or users you are interested in.

Look in the GPO settings for "allowed applications":
USER      Administrative Templates\System      Run only allowed Windows applications

Also consider a logon script that calls the TS client with a configuration file that connects them directly to your TS server.


Cheers

JamesDS
0
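A logon script along the lines suggested in the accepted answer, as an added example that is not part of the original thread: it checks that the "Run only allowed Windows applications" policy actually reached the user's registry hive before starting the TS client, then logs the local user off when the session ends. The `.rdp` path and the expected allow-list are assumptions for illustration.

```powershell
# Added example, not from the thread. $RdpFile and $Expected are assumed values.
$RdpFile  = '\\fileserver\netlogon\offsite-ts.rdp'   # hypothetical connection file
$Expected = @('mstsc.exe')                            # allow-list the GPO should deliver

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RestrictRunState {
    # The policy is stored as RestrictRun = 1 plus a RestrictRun subkey whose
    # values name the executables the user is allowed to start.
    $flag = (Get-ItemProperty -Path $policyKey -Name RestrictRun `
                 -ErrorAction SilentlyContinue).RestrictRun
    $allowed = @()
    $listKey = Get-Item -Path "$policyKey\RestrictRun" -ErrorAction SilentlyContinue
    if ($listKey) {
        $allowed = $listKey.GetValueNames() |
                   ForEach-Object { [string]$listKey.GetValue($_) }
    }
    [pscustomobject]@{ Enabled = ($flag -eq 1); Allowed = @($allowed) }
}

$state = Get-RestrictRunState

if (-not $state.Enabled) {
    # Policy not applied (for example, the machine is at the main site):
    # leave the normal desktop alone.
    Write-Warning 'RestrictRun policy is not in effect; skipping kiosk session.'
    return
}

# Report anything on the allow-list beyond what the lockdown is meant to permit.
$extra = @($state.Allowed | Where-Object { $Expected -notcontains $_.ToLower() })
if ($extra) { Write-Warning "Unexpected allowed programs: $($extra -join ', ')" }

# Start the TS client with the saved connection file and wait for it to exit.
Start-Process -FilePath "$env:SystemRoot\System32\mstsc.exe" `
              -ArgumentList "`"$RdpFile`"" -Wait

# When the remote session ends, log the local user off.
& "$env:SystemRoot\System32\logoff.exe"
```

"Run only allowed Windows applications" only stops programs launched through Windows Explorer; it does not block anything started from a command prompt or by another process. If the lockdown has to hold against a curious user, pair it with Software Restriction Policies or AppLocker.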
 

Author Comment

by:MJDevos
ID: 10960512
You can apply GPO to a group, that is how we dictate what a normal, administrator, or all users are affected by the group policy.

We currently have groups that distinguish this, for example everyone will have Automatic Updates and Offline files governed by GPO. For normal users the machine will be locked down further; administrators will not be 'hindered' by the additional locks governed by the GPO. Then Terminal Server users will have a different desktop dictated by the local GPO rather than the domain GPO to differentiate the two.

Just depends on how you set up your GPO and with how many policies and if they can or cannot be overridden. But to assign just to a group you do the following....

1. From AD right click over the domain and go to properties.
2. Click on the Group Policy Tab
3. Select the Group Policy you want to change
4. Click on the Properties button
5. Click on the Security tab
6. If this has never been changed then you will see the group 'Authenticated Users'; this will include everyone, normal or administrators. Remove this group, then add the group that you dictate that are to be governed by this GP and check Read Access and Apply Group Policy.

Other GP will or might override this GP depending on how you have them setup.

---

I will try this later today and possibly Monday and see if this will do what we need it to do. Thanks for the insight so far on the problem.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10963014
MJDevos
You cannot apply a GPO to a group.

You can apply a GPO to a User or a Machine and filter the setting by using groups, but applying the GPO to an OU containing only groups will not have any effect. This is as you describe above, but the process is referred to as "GPO filtering using apply or deny groups"

Let me know how you get on with your changes

Cheers

JamesDS
0
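The security-filtering steps discussed in this thread, scripted with the GroupPolicy module and followed by a check of who the GPO will actually apply to (an added example, not part of the original thread). It differs from step 6 in one respect: 'Authenticated Users' is reduced to Read instead of removed, because since the MS16-072 update user settings are retrieved in the computer's security context and the GPO must stay readable by the computer account. The GPO and group names are hypothetical.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

$GpoName     = 'Offsite TS Lockdown'   # hypothetical GPO name
$FilterGroup = 'Offsite-TS-Users'      # hypothetical security group

# Take "Apply group policy" away from everyone but keep Read.
# -Replace is needed: without it an existing higher permission (GpoApply) stays.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Grant Read + Apply to the filter group only.
Set-GPPermission -Name $GpoName -TargetName $FilterGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify the resulting ACL instead of trusting the two calls above.
$acl = Get-GPPermission -Name $GpoName -All

$appliers = @($acl |
    Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
    ForEach-Object { $_.Trustee.Name })

$unexpected = @($appliers | Where-Object { $_ -ne $FilterGroup })
if ($unexpected) {
    Write-Warning "GPO also applies to: $($unexpected -join ', ')"
}

$computerCanRead = $acl | Where-Object {
    $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' -and
    $_.Permission -ne 'None' -and -not $_.Denied
}
if (-not $computerCanRead) {
    Write-Warning 'No Read for computer accounts; user settings will not apply.'
}

# Final state, for the change record.
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

"Run only allowed Windows applications" is a User Configuration setting, so the filter group has to contain user accounts; filtering on a group of computers only takes effect for user settings if loopback processing is enabled for those machines.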


Question has a verified solution.
